2048. There is no plausible conventional attack on 2048; whatever breaks 2048 is probably going to break 4096, as I understand it.

https://crypto.stackexchange.com/questions/1978/how-big-an-r...

> Everyone doing anything with RSA is on 4k or larger.

The Let's Encrypt intermediate certificates R10 and R11 seem to be only 2048 bit.

They are? The short term recommendation is 3072, and I still see lots of 2048. Actually, it's mostly 2048.

Reminder to anyone if DKIM keys haven't been rotated in a while they might still be 1024. Eg., Google Workspace but new keys are 2048 now.

I took this conversation to be about ECC, not RSA.

Is it broken? Seems still no one solved RSA-1024 challenge.